Abstract

Quantum key distribution, first proposed by Bennett 
and Brassard, provides a possible key distribution scheme 
whose security depends only on the quantum laws of 
physics. So far the protocol has been proved secure even 
under channel noise and detector faults of the receiver, but 
is vulnerable if the photon source used is imperfect. In this 
paper we propose and give a concrete design for a new con- 
cept, self-checking source, which requires the manufacturer 
of the photon source to provide certain tests; these tests are 
designed such that, if passed, the source is guaranteed to 
be adequate for the security of the quantum key distribution 
protocol, even though the testing devices may not be built 
to the original specification. The main mathematical re- 
sult is a structural theorem which states that, for any state 
in a Hilbert space, if certain EPR-type equations are sat- 
isfied, the state must be essentially the orthogonal sum of 
EPR pairs. 



1 Introduction 

In 1984, Bennett and Brassard proposed a revolutionary
concept that key distribution may be accomplished
through public communications in quantum channels.
Hopefully, the privacy of the resulting key is to be
guaranteed by quantum physical laws alone, quite indepen- 
dent of how much computational resource is available to the 
adversary. The primary quantum phase of the proposed pro- 
tocol is a sequence of single photons produced by Alice (the 
sender) and detected by Bob (the receiver). 

The security proof of the BB84-protocol (or its many 
variants) for adversaries with unrestricted power is a dif- 
ficult mathematical problem, and has only been achieved 
with any generality in the last few years. In brief, the BB84-
protocol is secure even with channel noise and possible de-
tector faults for Bob, provided that the apparatus used by 
Alice to produce the photons is perfect. The purpose of 
this paper is to remove this last assumption, by propos- 
ing and giving a concrete design for a new concept, self- 
checking source, which requires the manufacturer of the 
photon source to provide certain tests; these tests are de- 
signed such that, if passed, the source is guaranteed to be 
adequate for the security of the BB84-protocol, even though 
the testing devices may not be built to the original specifi- 
cation. A self-checking source must receive inputs from 
multiple locations (two in our case) and returns classical 
outcomes at these locations. The test needs only to consider 
the classical inputs and the classical outcomes. 

It is well known that there are clever ways to construct
imperfect sources for the coding used in the BB84-protocol
that behave quite normally on the surface, but seriously
compromise the security. In other words, the BB84 coding
together with the standard test executed in the BB84-protocol
are problematic because the external data can be reproduced
by quantum apparatus which are not secure at all. We
propose a different source that is self-checking and yet can be
used to generate the BB84 coding. Our result means that
one does not have to perform an infinite number of checks
to rule out all possible devious constructions. In some ways
our test can be regarded as simple self-testing quantum
programs. Our result requires that, when the inputs to the
source are fixed, the distribution of probability for the
classical outcomes is also fixed.

Our result is that, if these distributions of probability
(associated with the different inputs) are exactly as in the
specification for our self-checking source, the state transmitted
is a direct sum of states that are individually normally
emitted by a perfect source. In practice, we cannot expect these
probabilities to be exactly as in the specification for the
self-checking source. However, one can test that they are not too
far away from this specification. Furthermore, one should
expect that the closer these probabilities are to their specified
values, the closer the source will be to the direct sum described
above. This is usually sufficient to prove security.

In Section 2, we show how the main mathematical ques- 
tion arises from the security requirement from the BB84- 
protocol. In Section 3, the precise question is formulated, 
and the main theorem stated. The proof of the main theorem 
is given in Section 4. 

2 Preliminaries



Figure 1. The BB84 states 



Ideally, the objective of key distribution is to allow two 
participants, typically called Alice and Bob, who initially 
share no information, to share a secret random key (a string 
of bits) at the end. A third party, usually called Eve, should 
not be able to obtain any information about the key. In real- 
ity, this ideal objective cannot be realized, especially if we 
give unlimited power to the cheater, but a quantum protocol 
can achieve something close to it. See [|[] (and more re- 
cently [^8[) for a detailed specification of the quantum key 
distribution task. One of the greatest challenges in quan- 
tum cryptography is to prove that a quantum protocol ac- 
complishes the specified task. One can experimentally try 
different kinds of attacks, but one can never know in which 
way the quantum apparatus can be defective. In any case, 
such experiments are almost never done in practice because 
it is not the way to establish the security of quantum key dis- 
tribution. The correct way is a properly designed protocol 
together with a security proof. 

Recently, there has been a growing interest in practi- 
cal quantum cryptography and systems have been imple- 
mented [0 | § f§ | |. However, proving the secu- 
rity of quantum key distribution against all attacks turned 
out to be a serious challenge. For many years, many
researchers directly or indirectly worked on this problem 

[0 h.b s eh pLm m muS mniBi- Using novel 

techniques [20[|2l|], a proof of security against all attacks 
for the quantum key distribution protocol of Bennett and 
Brassard was obtained in 1996 [R2|- Related results were
subsequently obtained Q |25[ |6j, but as yet [Q is the 
only known proof of security against all attacks. A more 
recent version of the proof with extension to the result is 
proposed in Also, the basic ideas of [k], [l7|] might 
lead to a complete solution if we accept fault tolerant com- 
putation (for example, see but this is not possible with 
current technology. 

In the quantum transmission, Alice sends $n$ photons to
Bob prepared individually in one of the four BB84 states
uniformly picked at random. The BB84 states denoted
$b(0,2)$, $b(1,2)$, $b(0,3)$ and $b(1,3)$ correspond to a photon
polarized at 0, 90, 45 and $-45$ degrees respectively (see
figure 1). (We reserve the states $b(0,1)$ and $b(1,1)$ for further
use: we will have to add two other states in our analysis.)
Bob measures each photon using either the rectilinear basis
$\{b(0,2), b(1,2)\}$ or the diagonal basis $\{b(0,3), b(1,3)\}$
uniformly chosen at random.

The basic idea of the protocol is the following. Neither Eve
nor Bob knows Alice's bases until after the quantum
transmission. Eve cannot obtain information without creat- 
ing a disturbance which can be detected. Bob also disturbs 
the state when he uses the wrong basis, but this is not a 
problem. After the quantum transmission, Alice and Bob 
announce their bases. Alice and Bob share a bit when their 
bases are identical, so they know which bits they share. The 
key point is that it's too late for Eve because the photons are 
on Bob's side. However, the security of the protocol relies 
on the fact that the source behaves as specified, and this is 
the main subject of this paper. 

Informally, the source used in the original BB84-protocol
[[7]] can be described as a blackbox with two buttons
on it: base2-button and base3-button. When Alice
pushes the base2-button, the output is either $(0, b(0,2))$ or
$(1, b(1,2))$, where $b(0,2)$ and $b(1,2)$ form an orthonormal
basis of a two-dimensional system $H_B$, with each possibility
occurring with probability 1/2. After the base$\alpha$-button
is pushed, of the output $(x, b(x,\alpha))$, only the vector
$b(x,\alpha)$ goes out to Bob; bit $x$ is only visible to Alice.
Similarly, if Alice pushes the base3-button, the output is either
$(0, b(0,3))$ or $(1, b(1,3))$, with each possibility occurring
with probability 1/2, where

$$b(0,3) = (b(0,2) + b(1,2))/\sqrt{2},$$
$$b(1,3) = (-b(0,2) + b(1,2))/\sqrt{2}. \qquad (1)$$



The suggested way in [0, to achieve the above is to
have the blackbox generate a fixed state, say $b(0,2)$; then
the bit $x \in \{0,1\}$ is uniformly chosen at random and this
state is rotated by an appropriate angle to create the desired
state $b(x,\alpha)$ (assuming that the base$\alpha$-button is pressed).
The security proof of the protocol extends to sources beyond
the one mentioned above. To obtain our self-testing source,
we need to consider a different type of source. A conjugate
coding source $S = (H_A \otimes H_B, \Psi, M_2, M_3)$ consists
of a pure state $\Psi$ in a Hilbert space $H_A \otimes H_B$, and
two measurements (each binary-valued) $M_2, M_3$ defined on
$H_A \otimes H_B$ but operating only on coordinates in $H_A$. Pushing
the base2-button, base3-button performs respectively measurement
$M_2$, $M_3$. (We have restricted the form of the initial
state to be a pure state $|\Psi\rangle$ instead of a general mixed state.
This is without loss of generality for our result, as we will
see.)

Let $P_\alpha^+, P_\alpha^-$, where $\alpha \in \{2,3\}$, denote the projection
operators to the subspaces corresponding to the outcomes
0, 1 for measurement $M_\alpha$. (We sometimes use the notation
$P_\alpha^\pm$ to denote the measurement $M_\alpha$ itself.) After performing
the measurement, only the coordinates in $H_B$ are made
available for transmission. Thus, if button $\alpha$ is pushed with
outcome 0, the density operator in the transmitted beam is
$\mathrm{tr}_A(P_\alpha^+|\Psi\rangle\langle\Psi|P_\alpha^+)$. For convenience, we sometimes
identify $+$ with 0, and $-$ with 1. Thus, if button $\alpha$ is pushed
with outcome $x$, the density operator is
$\mathrm{tr}_A(P_\alpha^x|\Psi\rangle\langle\Psi|P_\alpha^x)$.

The security proof of the protocol is valid if the source
satisfies, for $x \in \{0,1\}$, the conditions

$$\mathrm{tr}_A(P_2^x|\Psi\rangle\langle\Psi|P_2^x) = |b(x,2)\rangle\langle b(x,2)|/2,$$
$$\mathrm{tr}_A(P_3^x|\Psi\rangle\langle\Psi|P_3^x) = |b(x,3)\rangle\langle b(x,3)|/2, \qquad (2)$$

where $(b(0,2), b(1,2))$ and $(b(0,3), b(1,3))$ are orthonormal
bases that satisfy equation (1).

It is well known (and easy to see) that the following
source satisfies the above condition. Let $H_A$,
$H_B$ each be a two-dimensional Hilbert space. Let
$(a(0,2), a(1,2))$, $(a(0,3), a(1,3))$ be two pairs of
orthonormal bases of $H_A$ related by equation (1); similarly
let $(b(0,2), b(1,2))$, $(b(0,3), b(1,3))$ be two pairs of
orthonormal bases related by equation (1) for $H_B$. Let $\Psi$ be
the Bell state
$(|a(0,2)\rangle|b(0,2)\rangle + |a(1,2)\rangle|b(1,2)\rangle)/\sqrt{2} = (|a(0,3)\rangle|b(0,3)\rangle + |a(1,3)\rangle|b(1,3)\rangle)/\sqrt{2}$.
Let $M_2, M_3$ be two measurements on $H_A \otimes H_B$ that operate only
on the coordinates in $H_A$. The measurement $M_2$ consists of the two
orthogonal subspaces $|a(0,2)\rangle \otimes H_B$, $|a(1,2)\rangle \otimes H_B$. The
measurement $M_3$ consists of the two orthogonal subspaces
$|a(0,3)\rangle \otimes H_B$, $|a(1,3)\rangle \otimes H_B$. If we restrict them to $H_A$
only, the measurements $M_2, M_3$ are the measurements in the
bases $(a(0,2), a(1,2))$ and $(a(0,3), a(1,3))$ respectively.
Clearly, (2) is true. We call this source the perfect system.

More generally, the security proof extends to systems
that behave like a mixture of orthogonal ideal systems. A
source is an extended perfect system if there exist in $H_B$
orthogonal two dimensional subspaces $H_i$ ($i \in I$, some
index set), with $b_i(x,2)$, $b_i(x,3)$ denoting states in $H_i$ that
respect the same orthogonality condition as the above states
$b(x,2)$, $b(x,3)$ in $H_B$ and equation (1), such that for some
probability distribution on $i \in I$,

trx(i?|*><*|i?) - \k(x,2))(bi(x, 2)|/2, 
iei 

tr A (P^)(^) = \bi(x,2)){bi(x,3)\/2(?) 
iei 



Now comes the question. If a manufacturer hands over
a source and claims that it is a perfect system, how can we
check this claim, or at least make sure that it is an
extended perfect system?

If the source is a perfect system, let $N_2, N_3$ be the
measurements operating on $H_B$ in exactly the same way as
$M_2, M_3$ on $H_A$. That is, let $R_\alpha^+, R_\alpha^-$ (where $\alpha \in \{2,3\}$)
be the projection operators to subspaces by $N_\alpha$ with
outcome 0, 1; $R_2^+, R_2^-$ project to $H_A \otimes |b(0,2)\rangle$, $H_A \otimes |b(1,2)\rangle$,
and $R_3^+, R_3^-$ project to $H_A \otimes |b(0,3)\rangle$, $H_A \otimes |b(1,3)\rangle$,
respectively. Now observe that the following are true for
$\alpha, \beta \in \{2,3\}$, $x, y \in \{+,-\}$,

ll^l*)H 2 = 1/2, 
\\R y a P^)\\ 2 c 
ll^l*)ll 2 " *' V ' 

\\p s m 2 1 ' (> 

We can ask the manufacturer to provide in addition two
measuring devices outside the blackbox corresponding to
$N_2, N_3$. A test can be executed to verify that these
equations are satisfied (see the related discussion in the
Introduction). Furthermore, as a matter of physical
implementation, to make sure that the $M$'s and $N$'s operate on
$H_A$, $H_B$ respectively, we can further demand that the buttons
are replaced by two measuring devices outside the blackbox. Is
that sufficient to guarantee that we have at least an extended
perfect system?

Unfortunately, the answer is NO. It is not hard to con- 
struct examples where (4) is satisfied, but it is not an ex- 
tended ideal system (and in fact, security is gravely com- 
promised). 

However, as we will see, if we add one more measurement
appropriately on each side, and perform the corresponding
checks, then the source is guaranteed to be an extended perfect
system. That will be the main result of this paper.

3 Main Theorem 

An object $S = (H_A \otimes H_B, \Psi, P_1^\pm, P_2^\pm, P_3^\pm, R_1^\pm, R_2^\pm, R_3^\pm)$
is called an ideal source if the following are valid:
each of $H_A$, $H_B$ is a 2-dimensional Hilbert space with
$(a(0,2), a(1,2))$, $(a(0,3), a(1,3))$ being a pair of
orthonormal bases of $H_A$ satisfying equation (1), and
$(b(0,2), b(1,2))$, $(b(0,3), b(1,3))$ being a pair of orthonormal
bases of $H_B$ satisfying equation (1); $\Psi$ is the Bell
state $(a(0,\alpha)b(0,\alpha) + a(1,\alpha)b(1,\alpha))/\sqrt{2}$; $P_2^+, P_2^-$ are the
projection operators on the states $a(0,2)$, $a(1,2)$ respectively;
$P_3^+, P_3^-$ are the projection operators on the states
$a(0,3)$, $a(1,3)$ respectively. To describe $P_1^\pm$, let $a(x,1)$
($x \in \{0,1\}$) be the state $a(x,2) + a(x,3)$ after being
normalized to unit length. The states $a(x,1)$ and $b(x,1)$ have
a particular status in our proof, and we alternatively denote
$a(x,1) = |x\rangle$ and $b(x,1) = |x\rangle$. Then $P_1^+, P_1^-$
are respectively the projection operators on the states $|0\rangle$,
$|1\rangle$. As usual, we consider $P_\alpha^x$ and $P_\alpha^x \otimes I$ as two
alternative notations for one and the same projection operators on
$H_A \otimes H_B$. Clearly, $P_1^\pm, P_2^\pm, P_3^\pm$ are the projection
operators on $H_A \otimes H_B$ corresponding to measuring $\Psi$ with
respect to three bases of $H_A$ (the bases for $P_2^\pm, P_3^\pm$ at an
angle of $-\pi/8$, $+\pi/8$ with respect to the basis for $P_1^\pm$).

The projection operators $R_1^\pm, R_2^\pm, R_3^\pm$ operate on
coordinates in $H_B$, and are similarly defined as the $P$'s. Let

$$p_{\alpha,\beta}(x,y) = \|R_\beta^y P_\alpha^x |\Psi\rangle\|^2. \qquad (5)$$

These numbers can be easily computed. For example,
$p_{1,2}(0,0) = (\cos(\pi/8))^2/2$ and $p_{1,2}(0,1) = (\sin(\pi/8))^2/2$.

A self-checking source
$S = (H_A \otimes H_B, |\Psi\rangle, P_1^\pm, P_2^\pm, P_3^\pm, R_1^\pm, R_2^\pm, R_3^\pm)$ consists
of an initial state $|\Psi\rangle \in H_A \otimes H_B$, three measurements
$P_1^\pm, P_2^\pm, P_3^\pm$ acting on coordinates in $H_A$, and three
measurements $R_1^\pm, R_2^\pm, R_3^\pm$ acting on coordinates in $H_B$, such
that the following conditions are satisfied:

$$\|R_\beta^y P_\alpha^x |\Psi\rangle\|^2 = p_{\alpha,\beta}(x,y). \qquad (6)$$

We will see that a self-checking source gives rise to an
extended ideal system.
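
The specification table of equation (5) and the acceptance check of condition (6), computed for the ideal source, as an added example that is not part of the paper. The function names, the tolerance parameter `tol` and the constructed faulty product state are assumptions; the paper itself assumes the probabilities are measured exactly.

```python
import math
from itertools import product

THETA = math.pi / 8
# Basis angles relative to the basis of P_1 / R_1: bases 2 and 3 sit at -pi/8, +pi/8.
ANGLE = {1: 0.0, 2: -THETA, 3: +THETA}
# Bell state (|0>|0> + |1>|1>)/sqrt(2) as coefficients psi[i][j] on H_A (x) H_B.
BELL = [[1 / math.sqrt(2), 0.0], [0.0, 1 / math.sqrt(2)]]


def basis_vector(x, alpha):
    """Components of a(x, alpha) (identical to b(x, alpha)) in basis-1 coordinates."""
    t = ANGLE[alpha]
    return (math.cos(t), math.sin(t)) if x == 0 else (-math.sin(t), math.cos(t))


def correlation_table(psi):
    """p[(alpha, beta, x, y)] = || R^y_beta P^x_alpha |psi> ||^2 (rank-one projectors)."""
    table = {}
    for alpha, beta, x, y in product((1, 2, 3), (1, 2, 3), (0, 1), (0, 1)):
        a, b = basis_vector(x, alpha), basis_vector(y, beta)
        amp = sum(a[i] * b[j] * psi[i][j] for i in range(2) for j in range(2))
        table[(alpha, beta, x, y)] = amp ** 2
    return table


def transmitted_density(psi, x, alpha):
    """tr_A(P^x_alpha |psi><psi| P^x_alpha): the unnormalised state that reaches Bob."""
    a = basis_vector(x, alpha)
    phi = [sum(a[i] * psi[i][j] for i in range(2)) for j in range(2)]
    return [[phi[r] * phi[c] for c in range(2)] for r in range(2)]


def max_deviation(observed, spec):
    """Largest gap between observed and specified probabilities over all settings."""
    return max(abs(observed[k] - spec[k]) for k in spec)


def passes_self_check(observed, tol):
    """Accept only if every p_{alpha,beta}(x,y) is within tol (assumed) of the ideal value."""
    return max_deviation(observed, correlation_table(BELL)) <= tol


SPEC = correlation_table(BELL)
# Constructed faulty device: unentangled state |0>|0> instead of the Bell state.
PRODUCT_STATE = [[1.0, 0.0], [0.0, 0.0]]

if __name__ == "__main__":
    print("p_12(0,0) =", SPEC[(1, 2, 0, 0)], "expected", math.cos(THETA) ** 2 / 2)
    print("p_12(0,1) =", SPEC[(1, 2, 0, 1)], "expected", math.sin(THETA) ** 2 / 2)
    print("ideal source passes:", passes_self_check(SPEC, 1e-9))
    bad = correlation_table(PRODUCT_STATE)
    print("product state deviation:", max_deviation(bad, SPEC))
```

In a real test the observed table would be estimated from measured outcome frequencies for each pair of settings rather than computed from a known state.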

An extended ideal source
$S = (H_A \otimes H_B, |\Psi\rangle, P_1^\pm, P_2^\pm, P_3^\pm, R_1^\pm, R_2^\pm, R_3^\pm)$ is an
orthogonal sum of ideal sources in a similar sense as an
extended perfect system in relation to perfect systems. That
is, if there is an index set $I$, orthogonal two dimensional
subspaces $K_i \subset H_A$ with $a_i(x)$ (or alternatively $a_i(x,1)$)
denoting the state $|x\rangle$ in $K_i$, orthogonal two dimensional
subspaces $H_i \subset H_B$ with $b_i(x)$ (or alternatively $b_i(x,1)$)
denoting the state $|x\rangle'$ in $H_i$, such that for some (possibly
complex) numbers $\alpha_i$ on $i \in I$ with $\sum_{i \in I} |\alpha_i|^2 = 1$,

$$\Psi = \sum_{i \in I} \alpha_i \left(a_i(0) \otimes b_i(0) + a_i(1) \otimes b_i(1)\right).$$

Furthermore, for each $i$, for every projection
$P \in \{P_1^\pm, P_2^\pm, P_3^\pm\}$, $P$ acts exactly on $K_i$ like the
corresponding projection on $H_A$ in the ideal source case. That is,
if $P|x\rangle = \lambda_0|0\rangle + \lambda_1|1\rangle$ in the ideal case, we have that
$P a_i(x) = \lambda_0 a_i(0) + \lambda_1 a_i(1)$. The following fact is easy to
verify.

Fact 1 Any extended ideal source is a self-checking 
source. 

Also, it is clear that from any self-checking source, by
omitting the measurements $P_1^\pm, R_1^\pm$, one obtains a
conjugate coding source.

Fact 2 The conjugate coding source obtained from an
extended ideal source must be an extended perfect system.

The converse of Fact 1 is our main theorem.

Main Theorem Any self-checking source is an extended 
ideal source. 

It follows from the Main Theorem and Fact 2 that a self- 
checking source provides an adequate source for the BB84 
quantum key distribution protocol |Q, g]. 

We remark that in our definition of self-checking source,
the restriction of the initial state to a pure state $|\Psi\rangle$ instead
of a mixed state $\rho$ is not a real restriction. Given a source
with a mixed state $\rho$ satisfying equation (6), we can
construct one with a pure state $|\Psi\rangle$ (by enlarging appropriately
$H_A$) satisfying (6). We can apply the Main Theorem to this
new source, and conclude that it also gives rise to an
adequate source for the BB84-protocol.

It is well known, from discussions about EPR Experiments
(see e.g. [p9|]), that quantities such as $\|R_\beta^y P_\alpha^x |\Psi\rangle\|^2$
exhibit behavior characteristic of quantum systems that cannot
be explained by classical theories. One may view our
main result as stating that such constraints are sometimes
strong enough to yield precise structural information about
the given quantum system; in this case it has to be an
orthogonal sum of EPR pairs.

4 Proof of Main Theorem 

We give in this Section a sketch of the main steps in the 
proof. 

Let $S = (H_A \otimes H_B, |\Psi\rangle, P_1^\pm, P_2^\pm, P_3^\pm, R_1^\pm, R_2^\pm, R_3^\pm)$ be a
self-checking source. We show that it must be an extended
ideal source.

In Section 4.1, we derive some structural properties of 
the projection operators as imposed by the self-checking 
conditions, but without considering in details the constraints 
due to the tensor product nature of the state space. In Sec- 
tions 4.2 and 4.3, the state is decomposed explicitly in terms 
of tensor products, and the properties derived in Section 4.1 
are used to show that this decomposition satisfies the con- 
ditions stated in the Main Theorem. 

4.1 Properties of Projections 

In this subsection, we present some properties of the pro- 
jected states (such as Pi^f, P 1 + P 2 ^5') as consequences of 
the constraints put on self-checking sources. The proofs of 
these lemmas are somewhat lengthy, and will be left to the 
complete paper. 

Lemma 1 For every $\alpha \in \{1,2,3\}$ and $x \in \{+,-\}$, we
have $P_\alpha^x \Psi = R_\alpha^x \Psi$.



Let $v_i \in V$, $w_i \in W$ for $1 \le i \le m$, where $V, W$ are two
Hilbert spaces. We say that $(v_1, v_2, \ldots, v_m)$ is isomorphic
to $(w_1, w_2, \ldots, w_m)$ if there is an inner-product-preserving
linear mapping $f : V \to W$ such that $w_i = f(v_i)$ for all $i$.

Let $\theta = \pi/8$, and $u_1, u_2, \ldots, u_5$ be elements of $C^2$
defined by

$$u_1 = (1, 0),$$
$$u_2 = (\cos^2\theta, \; \sin\theta\cos\theta),$$
$$u_3 = (\sin^2\theta, \; -\sin\theta\cos\theta),$$
$$u_4 = (\cos^2\theta, \; -\sin\theta\cos\theta),$$
$$u_5 = (\sin^2\theta, \; \sin\theta\cos\theta).$$

Lemma 2 $(u_1, u_2, \ldots, u_5)$ is isomorphic to
$\sqrt{2}\,(P_1^+\Psi, \; P_1^+R_3^+\Psi, \; P_1^+R_3^-\Psi, \; P_1^+R_2^+\Psi, \; P_1^+R_2^-\Psi)$.

Lemma 3 Let $h = P_1^+R_3^+\Psi - P_1^+R_2^+\Psi$. Then $R_1^- h = h$.

Lemma 4 Let fc = - (cos 0) 2 P+*. Then (P+ - 

P+)fc = 2(sin0 cos 0) 2 Pf *. 

Since there is a symmetry between the projection operators
$P$ and $R$, the following is clearly true.

Lemma 5 Lemmas 2-4 remain valid if the projection operators
$P$ and $R$ are exchanged.

4.2 The Decomposition 

We now prove that the state $\Psi \in H_A \otimes H_B$ can be
decomposed into the direct sum of EPR pairs. We begin with a
decomposition of $P_1^+\Psi$, which is equal to $R_1^+\Psi$ by Lemma 1.

Lemma 6 One can write

$$P_1^+\Psi = \sum_{i \in I} \alpha_i \, a_i(0) \otimes b_i(0)$$

where $I$ is an index set, $\alpha_i$ are complex numbers, and
$a_i(0) \in H_A$ ($i \in I$), $b_i(0) \in H_B$ ($i \in I$) are two
respectively orthonormal sets of eigenvectors of the operators $P_1^+$
(acting on $H_A$) and $R_1^+$ (acting on $H_B$).

Proof The lemma is proved with the help of Schmidt
decomposition theorem [ |3(i| ] [pT|]. We omit the details here. □

Let $\beta = (2\sin\theta\cos\theta)^{-1}$. Define
$a_i(1) = \beta(P_3^+ - P_2^+)a_i(0)$, and $b_i(1) = \beta(R_3^+ - R_2^+)b_i(0)$ for $i \in I$.
Let $K_i \subset H_A$ be the subspace spanned by $a_i(0)$ and $a_i(1)$; let
$H_i \subset H_B$ be the subspace spanned by $b_i(0)$ and $b_i(1)$. The
plan is to show that



ie/ 



and that Ki,Hi have all the properties required to satisfy 
the Main Theorem. 

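In the remainder of this subsection, we use Lemmas 2-5
to show that each $H_i$ ($K_i$) behaves correctly under the
projection operators $R_\alpha^\pm$ ($P_\alpha^\pm$). In the next subsection, we
complete the proof by showing that all $H_i$ ($K_i$) are orthogonal
to each other.

By Lemma 2, $(u_1, u_2, \ldots, u_5)$ is isomorphic to
$\sqrt{2}\,(P_1^+\Psi, \; P_1^+R_3^+\Psi, \; P_1^+R_3^-\Psi, \; P_1^+R_2^+\Psi, \; P_1^+R_2^-\Psi)$. In
particular, this implies that any linear relation $\sum_j \lambda_j u_j = 0$
must also be satisfied if $u_j$ are replaced by the appropriate
projected states. Now

$$P_1^+\Psi = \sum_{i \in I} \alpha_i \, a_i(0) \otimes b_i(0),$$
$$P_1^+R_3^+\Psi = \sum_{i \in I} \alpha_i \, a_i(0) \otimes R_3^+ b_i(0),$$
$$P_1^+R_3^-\Psi = \sum_{i \in I} \alpha_i \, a_i(0) \otimes R_3^- b_i(0),$$
$$P_1^+R_2^+\Psi = \sum_{i \in I} \alpha_i \, a_i(0) \otimes R_2^+ b_i(0),$$
$$P_1^+R_2^-\Psi = \sum_{i \in I} \alpha_i \, a_i(0) \otimes R_2^- b_i(0).$$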



• <H(1) <8> &i(l)), 



This means that, for each $i \in I$, any linear relation
$\sum_j \lambda_j u_j = 0$ must also be satisfied if we make the
following substitutions:

$$u_1 \leftarrow b_i(0),$$
$$u_2 \leftarrow R_3^+ b_i(0),$$
$$u_3 \leftarrow R_3^- b_i(0),$$
$$u_4 \leftarrow R_2^+ b_i(0),$$
$$u_5 \leftarrow R_2^- b_i(0).$$

Lemma 7 For each $i \in I$, $(u_1, u_2, \ldots, u_5)$ is isomorphic to
$(b_i(0), \; R_3^+ b_i(0), \; R_3^- b_i(0), \; R_2^+ b_i(0), \; R_2^- b_i(0))$.

Proof Use the preceding observation and the orthogonality
between $R_3^+ b_i(0)$ and $R_3^- b_i(0)$, and the orthogonality
between $R_2^+ b_i(0)$ and $R_2^- b_i(0)$. We omit the details here. □

Note that $b_i(1) = \beta(R_3^+ - R_2^+)b_i(0)$ by definition.
From Lemma 7, it is easy to see that $b_i(1)$ is a unit vector
perpendicular to $b_i(0)$. In fact, $b_i(1)$ is mapped to the
vector $(0, 1)$ under the isomorphism in Lemma 7.

From Lemma 7, for the purpose of vectors in the
space $H_i$, the projection operators $R_3^+, R_3^-$ correspond to
choosing the coordinate system obtained from the system
$(b_i(0), b_i(1))$ rotated by the angle $\theta$; similarly, $R_2^+, R_2^-$
correspond to choosing a coordinate system obtained from the
system $(b_i(0), b_i(1))$ rotated by the angle $-\theta$. It remains
to show that $R_1^+, R_1^-$ correspond to the coordinate system
$(b_i(0), b_i(1))$ itself. By definition $R_1^+ b_i(0) = b_i(0)$. It
remains to prove that $R_1^- b_i(1) = b_i(1)$.

To do that, we use Lemma 3. Observe that

$$h = P_1^+R_3^+\Psi - P_1^+R_2^+\Psi$$
$$= \sum_{i \in I} \alpha_i \, a_i(0) \otimes R_3^+ b_i(0) - \sum_{i \in I} \alpha_i \, a_i(0) \otimes R_2^+ b_i(0)$$
$$= \sum_{i \in I} \alpha_i \, a_i(0) \otimes (R_3^+ - R_2^+) b_i(0)$$
$$= \beta^{-1} \sum_{i \in I} \alpha_i \, a_i(0) \otimes b_i(1).$$

Since $R_1^- h = h$ by Lemma 3, we must have $R_1^- b_i(1) = b_i(1)$.
This completes the proof that the projection operators
$R_\alpha^\pm$ behave as required on the subspace $H_i$.

As stated explicitly in Lemma 5, we can obtain the
symmetric statement that the projection operators $P_\alpha^\pm$ behave
as required on the subspace $K_i$.

Now that we have determined the behavior of the
projection operators on $K_i$, $H_i$, we can in principle calculate any
polynomial of the projection operators on the state $P_1^+\Psi$.
By Lemma 4, $P_1^-\Psi$ can be written as

Pf* = 2/3 2 (P+ - P + )(P 2 + - cos 2 9)P+<$. 

This gives 

Pftf = 2/3 2 ^a,(P + -cos 2 6»)a,(0)®(P + -P + )6,(0). 
iei 

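After applying the rules and simplifying, we obtain

$$P_1^-\Psi = \sum_{i \in I} \alpha_i \, a_i(1) \otimes b_i(1).$$

As $\Psi = P_1^+\Psi + P_1^-\Psi$, this proves

$$\Psi = \sum_{i \in I} \alpha_i \left(a_i(0) \otimes b_i(0) + a_i(1) \otimes b_i(1)\right).$$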

4.3 Completing the Proof 

It remains to show that all $H_i$ are orthogonal to each
other. (A symmetric argument then shows that all $K_i$ are
also orthogonal to each other.)

Let $i \ne j \in I$. Assume that $H_i$ is not orthogonal to
$H_j$. We derive a contradiction. By definition, $H_i$ is spanned
by $b_i(0)$, $b_i(1)$, and $H_j$ is spanned by $b_j(0)$, $b_j(1)$. Clearly,
$b_i(1)$ and $b_j(1)$ are not orthogonal to each other, as all the
other pairs $(b_i(x), b_j(y))$ are orthogonal.

Choose a coordinate system for the space spanned by the
four vectors such that

$$b_i(0) = (1, 0, 0, 0),$$
$$b_i(1) = (0, 1, 0, 0),$$
$$b_j(0) = (0, 0, 1, 0),$$
$$b_j(1) = (0, s, 0, t),$$

where $s \ne 0$. From our knowledge about the behavior
of $R_3$, we infer that $R_3^+ b_j(0) = (\cos\theta)\,w$ where
$w = \cos\theta\, b_j(0) + \sin\theta\, b_j(1) = (0, s\sin\theta, \cos\theta, t\sin\theta)$.
Similarly, $R_3^- b_i(0) = (\sin\theta)\,w'$ where
$w' = -\sin\theta\, b_i(0) + \cos\theta\, b_i(1) = (-\sin\theta, \cos\theta, 0, 0)$.
As the inner product of $w$ and $w'$ is $s\sin\theta\cos\theta$ which is
non-zero, we conclude that $R_3^+ b_j(0)$ and $R_3^- b_i(0)$ are not
orthogonal. This contradicts the fact that $R_3^+, R_3^-$ are
projection operators to orthogonal subspaces. This completes
the proof.

5 Concluding Remarks 

The security problem for imperfect sources is a difficult
one to deal with. The present paper is a step in only one
possible direction. We have also limited ourselves to the
simplest case when the correlation probabilities $p_{\alpha,\beta}(x,y)$
are assumed to be measurable precisely. We leave open as
future research topics for extensions to more general models.